An era where you can’t sell a car without getting ‘cyber security certification’

Increasing in-vehicle IT functions and strengthening hacking prevention
Mandatory sales conditions starting in Europe in July… Applied in Korea from the second half of next year
‘IT talent shortage’ for small and medium-sized auto parts companies
“We need 1.5 times more manpower… Difficult”

As information technology (IT) functions in automobiles increase, anti-hacking regulations are being strengthened for automakers and parts manufacturers. Large companies are responding quickly, but small and medium-sized companies are having difficulty securing IT personnel.

According to the automobile industry on the 12th, cyber certification has been applied as a mandatory sales condition for all mass-produced vehicles in the 56 member countries of the United Nations Economic Commission for Europe (UNECE) since July. Vehicles can be sold in Europe only if they receive automotive cybersecurity management system (CSMS) certification according to the standards of the International Organization for Standardization (ISO).

In Korea, the revision to the Automobile Management Act was passed in February. It requires that automobile cybersecurity systems be in line with international standards. In Korea, it will be applied to new vehicles starting in the second half of next year (July-December).

The reason for the strengthening of regulations is that the number of vehicles equipped with various IT functions is increasing. Recently, new vehicles are equipped with Level 2 autonomous driving functions, and they can watch videos in the car and use navigation and artificial intelligence (AI) assistants. According to the National Center for Manufacturing Science (NCMS) in the United States, the most luxurious vehicles these days are equipped with 1,000 to 3,000 microchips and about 150 electronic control units (ECUs).

This trend is expected to strengthen further. Market research firm Presidency Research analyzed that the market size of software-centric vehicles (SDVs), which is expected to be 42.5 billion dollars (about 57 trillion won) this year, will increase 3.5 times to 147.8 billion dollars (about 197 trillion won) by 2030.

As the spread of future vehicles increases, concerns are growing that hackers could infiltrate the vehicle’s software to hijack the vehicle or steal personal information.

The market for developing automotive security software and helping with related certification is also growing. Among domestic companies, Autocrypt is leading the industry, and companies such as ETAS Korea (Germany) and Argus (Israel) are also increasing their presence in Korea. According to consulting firm McKinsey, the global automotive cybersecurity market is expected to grow from $4.9 billion (about 7 trillion won) in 2020 to $9.7 billion (about 13 trillion won) in 2030. However, small and medium-sized automotive parts companies are having difficulties. In order to supply parts equipped with ECUs to automakers, they must also apply security software and receive global certification for it.

Small and medium-sized companies are unable to respond appropriately due to a lack of human resources and financial resources. Sang-gon Ahn, head of the research planning team at AM Co., a component manufacturer, said, “If you contact a consulting firm to apply a cybersecurity process, they will ask for 200 to 300 million won, which is a burden for small and medium-sized companies.” He added, “In order to meet cybersecurity standards, 1.5 times the number of existing development personnel is needed, but small and medium-sized companies have difficulty recruiting personnel because their annual salaries are not high.”

In relation to this, there are voices calling for government support. Kim Hyung-wook, director of Autocrypt, emphasized, “Small and medium-sized enterprises lack knowledge of cybersecurity and are at a loss as to where to start,” and “There needs to be more support measures to help them than there are now.” Jang Hong-chang, senior researcher at the Korea Automobile Research Institute, pointed out, “Additional training of personnel is needed so that small and medium-sized enterprises can also supply personnel related to cybersecurity.”